Issue #8685: KDC cert has no SAN DNSname - freeipa

freeipa

#8685 KDC cert has no SAN DNSname

Closed: fixed 3 years ago by frenaud. Opened 3 years ago by cheimes.

Issue

KDC cert has no DNSName entry in subject alternative name. The problem is caused by a combination of three bugs:

krbinstance calls certmonger.request_and_wait_for_cert() with parameter dns=self.fqdn instead of dns=[self.fqdn].
certmonger helpers seem to silently ignore the DNS parameter when it's a string instead of a list of strings.
CA profile KDCs_PKINIT_Certs has no commonNameToSANDefaultImpl policy

Steps to Reproduce

openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt

Actual behavior

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = IPA23.TEST, CN = Certificate Authority
        Validity
            Not Before: Jan 29 07:33:42 2021 GMT
            Not After : Jan 30 07:33:42 2023 GMT
        Subject: O = IPA23.TEST, CN = server.ipa23.test
        ...
        X509v3 extensions:
        ...
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, othername:<unsupported>

Expected behavior

        X509v3 extensions:
        ...
            X509v3 Subject Alternative Name: 
                DNS:server.ipa23.test, othername:<unsupported>, othername:<unsupported>

Version/Release/Distribution

freeipa-server-4.10.0.dev202101260524+git30f82e2c8d-0.fc33

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5495

3 years ago

rcritten commented 3 years ago

master:

24a5d4d Ensure that KDC cert has SAN DNS entry

frenaud commented 3 years ago

ipa-4-9:

5ab290a Ensure that KDC cert has SAN DNS entry

frenaud commented 3 years ago

ipa-4-8:

79cdd1d Ensure that KDC cert has SAN DNS entry

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

https://github.com/freeipa/freeipa/pull/5495

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#8685 KDC cert has no SAN DNSname Closed: fixed 3 years ago by frenaud. Opened 3 years ago by cheimes.

Issue

Steps to Reproduce

Actual behavior

Expected behavior

Version/Release/Distribution

Metadata

#8685 KDC cert has no SAN DNSname

Closed: fixed 3 years ago by frenaud. Opened 3 years ago by cheimes.